Submission to the Debian BTS (July 10th, 2013)

In two weeks (the 10th of July of 2013), we will pull the latest package from
debian unstable and re-run our testcase. Hopefully, you will have had time to
update the package with a fix. If the crash still exists, then we will go ahead
and submit a report to the Debian BTS. The main reason behind the preview is to
give you time to assess the seriousness of the bug so that you can prepare an
urgent security patch if necessary. If the bug is security critical and you do
not have time to release a fix in the given time frame, please contact us at
alexandre@cmu.edu so that we can delay the public disclosure.

Update status

We would like to keep track of statistics of the bugs, so we would really
appreciate it if you took the time to update its status.

Status

How was the bug found?

We found the bug using Mayhem,
an automatic bug finding system that we've been developing in David Brumley's
research lab for a couple of years now. We recently ran Mayhem on almost all
ELF binaries of Debian Wheezy (~23,000 binaries) for 5 minutes each, and we
found thousands of crashes on thousands of application.

Our goal here is to make bug reports as complete and accurate as possible,
so that we are not wasting your time. To minimize duplicates, we are reporting
only one crash per binary, and at most 5 crashes per package. This amounts to
1,182 crashes. Moreover, to ensure accuracy, we confirmed all the crashes by
re-running them in a fresh unstable installation. Finally, we also filter out
assertion failures for now, as they seemed less important. In short, this
report is reproducible and actionable.